The Impossibility of Non-Signaling Privacy Amplification 

Esther Hänggi¹, Renato Renner², Stefan Wolf¹

¹ Computer Science Department, ETH Zurich, CH-8092 Zurich, Switzerland.

{esther.haenggi, wolf}@inf.ethz.ch

² Institute for Theoretical Physics, ETH Zurich, CH-8093 Zurich, Switzerland

renner@phys.ethz.ch



Abstract 

Barrett, Hardy, and Kent have shown in 2005 that protocols for quantum key agreement
exist the security of which can be proven under the assumption that quantum or
relativity theory is correct. More precisely, this is based on the non-local behavior of
certain quantum systems, combined with the non-signaling postulate from relativity. An
advantage is that the resulting security is independent of what (quantum) systems the
legitimate parties' devices operate on: they do not have to be trusted. Unfortunately,
the protocol proposed by Barrett et al. cannot tolerate any errors caused by noise in
the quantum channel. Furthermore, even in the error-free case it is inefficient: its
communication complexity is Ω(1/ε) when forcing the attacker's information below ε, even
if only a single key bit is generated. Potentially, the problem can be solved by privacy
amplification of relativistic — or non-signaling — secrecy. We show, however, that such
privacy amplification is impossible with respect to the most important form of non-local
behavior, and application of arbitrary hash functions.

Key words: Device-independent security, quantum key agreement, Bell inequalities,
non-locality, cryptography



1. Introduction, Motivation, and Our Contribution 

1.1. What is Relativistic Cryptography? 

The security of relativistic cryptography can be proven under the sole assumption
that the non-signaling postulate of relativity theory is correct. The latter states that
information transmission faster than at the speed of light is impossible. The basic idea,
as proposed by Barrett, Hardy, and Kent [3], is as follows: By communication over a
quantum channel, two parties, Alice and Bob, generate some shared entangled quantum
state. They then can carry out measurements and use an authentic classical channel to
determine the resulting correlation of their respective data.

So far, this is entanglement-based quantum cryptography as proposed by Ekert [13]¹
some years after the first quantum key distribution protocol, proposed by Bennett and
Brassard, that is not based on entanglement at all. Let us quickly follow Ekert's path:
From the correlations, they conclude on error rates and adversarial information and
generate a key, the security of which can be proven based on the assumption that quantum
physics with all its Hilbert-space formalism is correct [21]. An additional assumption that
usually has to be made is that the devices operate on specified quantum systems of given
dimension (e.g., single polarized photons); the security is lost when the actual systems
are different (e.g., pairs of photons). The question of device-independent security has
been raised before. It was shown that under certain restrictions on the type of
possible attacks, namely to so-called collective, i.e., i.i.d., attacks, it can be achievable
at the price of a lower key-generation rate.

¹ Interestingly, the title of Ekert's celebrated article, "Quantum cryptography based on Bell's theorem,"
suits much more precisely — and might have anticipated in some way — the idea of relativistic
cryptography based on non-local correlations: Here, the security proof is directly based on Bell's theorem,
which is not the case for Ekert's protocol.

Let us now turn back to relativistic cryptography: Here, Alice and Bob carry out
measurements on their respective systems in a space-like separated fashion (to exclude
signaling), and this will allow them to conclude privacy directly from the correlations of
their resulting data. The proofs then hold for whatever quantum systems the devices
operate on; no Hilbert space formalism is used, only classical information theory. Actually,
the assumption is not even necessary that the possibilities of what an adversary can
do are limited by quantum physics. Quantum physics guarantees the protocol to work,
i.e., establishes the expected correlations, the occurrence of which can be verified, but
the security is completely independent of quantum physics. An interesting consequence
is that protocols can be given which are secure if either quantum physics or relativity
(or both, of course) is correct.

How can it be possible to derive secrecy from correlations alone? In quantum physics,
this effect is well-known: Quantum correlations, called entanglement, are monogamous
to some extent [23]. If Alice and Bob are maximally entangled, then Eve must be out of
the picture. But classically, we do not know such an effect: If Alice and Bob have highly
correlated bits, Eve can nevertheless know them. The point is that we have to look at
correlations of systems, i.e., bipartite input-output behaviors.

John Bell has proven in 1964 [5] that entangled quantum states can display non-local
correlations under measurements. More precisely, the system consists of the choice of
the particular measurement to be carried out — the inputs — and the corresponding
outcomes — the outputs. Bell's work was a reply to Einstein, Podolsky, and Rosen's
claim that quantum physics was incomplete and should be augmented by classical
variables determining the behavior of every system under any possible measurement. Bell
proved that such a thing is impossible: these variables do not exist. This is what can
be exploited cryptographically: If they do not exist, then no adversary can have known
them before a measurement was carried out.

We explain this in more detail and start with a closer look at systems and correlations. 



1.2. Systems, Correlations, and Non-Locality 

In order to explain the essence of non-locality, we introduce the notion of two-partite
systems, defined by their joint input-output behavior $P_{XY|UV}$ (see Figure 1). We classify
systems by the correlation they introduce and by the resource required to explain the
joint behavior of its parts.

Figure 1: A two-partite system.

Definition 1. A system is a bi- (or more-) partite conditional probability distribution
$P_{XY|UV}$. A system $P_{XY|UV}$ is independent if $P_{XY|UV} = P_{X|U} \cdot P_{Y|V}$. It is local if
$$P_{XY|UV} = \sum_{i=1}^{n} w_i \, P^{i}_{X|U} \, P^{i}_{Y|V}$$
holds for some weights $w_i \ge 0$ and conditional distributions $P^{i}_{X|U}$ and $P^{i}_{Y|V}$,
$i = 1, \dots, n$. A system is signaling if it allows for message transmission, i.e., there exist
$P_U$ and $P_V$ such that $I(X;V|U) > 0$ or $I(Y;U|V) > 0$.² We call a non-signaling system a box.

In terms of classical resources required to establish them, these categories correspond 
to no resources at all, shared information, and message transmission, respectively. Of 
interest for us will be systems that are neither local nor signaling, i.e., non-local boxes. 
Communication is required to explain their behavior classically, but for some of them, 
distributed quantum information is sufficient. Note that because they are non-signaling, 
this does not contradict relativity. We give an alternative characterization of locality. 

Lemma 1. For any system $P_{XY|UV}$, where $\mathcal{U}$ and $\mathcal{V}$ are the ranges of $U$ and $V$, respectively,
the following conditions are equivalent:

1. $P_{XY|UV}$ is local,

2. there exist random variables $X_u$ ($u \in \mathcal{U}$) and $Y_v$ ($v \in \mathcal{V}$) with a joint distribution
that is such that the marginals satisfy $P_{X_u Y_v} = P_{XY|U=u,V=v}$.

Proof. Assume first that $P_{XY|UV}$ is local, i.e., $P_{XY|UV} = \sum_i w_i P^{i}_{X|U} P^{i}_{Y|V}$. With
$\mathcal{U} = \{u_1, u_2, \dots, u_m\}$ and $\mathcal{V} = \{v_1, v_2, \dots, v_n\}$, define
$$P_{X_{u_1} \cdots X_{u_m} Y_{v_1} \cdots Y_{v_n}}(x_1, \dots, x_m, y_1, \dots, y_n)
:= \sum_i w_i \prod_{j=1}^{m} P^{i}_{X|U=u_j}(x_j) \prod_{k=1}^{n} P^{i}_{Y|V=v_k}(y_k)\,.$$
This distribution has the desired property.

To see the reverse direction, let $X_{u_1} \cdots X_{u_m} Y_{v_1} \cdots Y_{v_n}$ be the shared randomness $w$.

□

Intuitively speaking, we can simply forget about the inputs, and all the alternative
outputs can be put under the roof of a single joint distribution (see Figure 2).



² Alternatively, signaling systems can be defined as systems which are not non-signaling; a
non-signaling system being one for which
$$\sum_x P_{XY|UV}(x, y, u, v) = \sum_x P_{XY|UV}(x, y, u', v) \quad \text{for all } y, v, u, u',$$
$$\sum_y P_{XY|UV}(x, y, u, v) = \sum_y P_{XY|UV}(x, y, u, v') \quad \text{for all } x, u, v, v'$$
holds. The two definitions are equivalent.

Figure 2: Locality is realism.



Lemma 1 connects locality with so-called realism: All the outputs to the alternative
inputs "co-exist" — and can, hence, be pre-selected — in a consistent way. In other
words, non-locality necessarily means that certain data do not exist before an input is
provided on the respective side.

1.3. Non-Locality Implies Secrecy 

In order to explain this more explicitly, let us consider a specific example of a system.

Definition 2. A Popescu-Rohrlich box (or PR box for short) is the following two-partite
system $P_{XY|UV}$: The random variable $X$ is a random bit, given the pair $(U, V)$,
and we have
$$\mathrm{Prob}[X \oplus Y = U \cdot V] = 1\,. \qquad (1)$$

Bell's theorem states that this system is indeed non-local. More precisely, any system
that behaves like a PR box with probability greater than 75% is. Interestingly, the
probabilities coming from measurements on bipartite entangled quantum states — considering
the choice of a measurement as the input and the measurement result as the output —
can achieve roughly 85%.

Theorem 2. (John Bell, 1964 [5].) Any system that behaves like a PR box with
probability > 75% for random inputs is non-local.

Proof sketch. Lemma 1 states that a system is local only if the alternative outputs
(i.e., outputs to alternative inputs) consistently co-exist. In the case of the PR box, this
corresponds to a joint distribution of four bits $P_{X_0 X_1 Y_0 Y_1}$ such that
$\mathrm{Prob}[X_0 = Y_0] = \mathrm{Prob}[X_0 = Y_1] = \mathrm{Prob}[X_1 = Y_0] = 1$ and
$\mathrm{Prob}[X_1 \neq Y_1] = 1$ hold. These conditions are contradictory: Only three out of
the four can be satisfied at a time. □
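The counting argument of the proof sketch can be checked mechanically. The following Python block is an added example and not part of the paper: it enumerates the 16 pre-assigned output tuples $(x_0, x_1, y_0, y_1)$ that Lemma 1 attaches to a local system, scores each tuple against relation (1) for uniformly random inputs, and confirms that the best local strategy satisfies (1) on exactly three of the four input pairs, i.e., the 75% local limit of Theorem 2. Mixing tuples with weights $w_i$ only averages their scores, so the same bound holds for every local system. All function and variable names are the example's own.

```python
# Added example (not from the paper): the "local limit" of Theorem 2 by brute force.
from fractions import Fraction
from itertools import product

INPUT_PAIRS = tuple(product((0, 1), repeat=2))


def pr_condition(x, y, u, v):
    """The PR-box relation (1): the outputs must satisfy x XOR y = u AND v."""
    return (x ^ y) == (u & v)


def deterministic_strategies():
    """All 16 pre-assigned output tuples (x0, x1, y0, y1).

    By Lemma 1 (locality is realism) every local system is a mixture of such
    tuples: x_u is Alice's output to input u, y_v is Bob's output to input v.
    """
    return tuple(product((0, 1), repeat=4))


def success_probability(strategy):
    """Probability that a fixed tuple satisfies (1) for uniformly random inputs."""
    x0, x1, y0, y1 = strategy
    wins = sum(pr_condition((x0, x1)[u], (y0, y1)[v], u, v) for u, v in INPUT_PAIRS)
    return Fraction(wins, len(INPUT_PAIRS))


def local_bound():
    """Best success probability over all deterministic strategies.

    A mixture with weights w_i has success sum_i w_i * success_i, an average of
    the deterministic scores, so this value also bounds every local system.
    """
    return max(success_probability(s) for s in deterministic_strategies())


def optimal_strategies():
    """The tuples reaching the local bound."""
    bound = local_bound()
    return [s for s in deterministic_strategies() if success_probability(s) == bound]


def failing_inputs(strategy):
    """Input pairs (u, v) on which a fixed tuple violates (1)."""
    x0, x1, y0, y1 = strategy
    return [(u, v) for u, v in INPUT_PAIRS
            if not pr_condition((x0, x1)[u], (y0, y1)[v], u, v)]


def mixed_success(weighted_strategies):
    """Success probability of a local system given as a list of (weight, tuple)."""
    return sum(w * success_probability(s) for w, s in weighted_strategies)


if __name__ == "__main__":
    print("local bound:", local_bound())  # 3/4
    for s in optimal_strategies():
        print(s, "fails only on input pair", failing_inputs(s))
```

Every optimal tuple fails on exactly one input pair; which pair it is depends on the tuple, which is why no pre-assignment can satisfy all four conditions of the proof sketch at once.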

Note that although in terms of classical resources, the behavior of a PR box can be
explained by message transmission only, the system is actually non-signaling: $X$ and $Y$
separately are perfectly random bits and independent of the input pair. On the other
hand, a system $P_{XY|UV}$ (where all variables are bits) satisfying (1) is non-signaling
only if the outputs are completely unbiased, given the input pair, i.e.,
$P_{X|U=u,V=v}(0) = P_{Y|U=u,V=v}(0) = 1/2$. In other words, the output bit cannot be pre-determined, not
even slightly biased. The outputs are, hence, perfectly random and the randomness
must have been generated after input reception. This is what we can make use of for
key agreement: Assume that Alice and Bob share any kind of physical system, carry
out space-like separated measurements (hereby excluding message transmission), and
measure data having the statistics of a PR box. (In order to test this, they exchange
all the input bits and some randomly chosen outputs.) The resulting data are then
perfectly secret bits, because even conditioned on an adversary's complete information,
the correlation between Alice and Bob must be non-signaling!

Unfortunately, however, perfect PR boxes do not exist in nature: Quantum physics
is non-local, but not maximally.³ Can we still obtain virtually secret bits from weaker,
quantum-physically achievable, non-locality? Barrett, Hardy, and Kent [3] have shown
that the answer is yes; but their protocol is inefficient: In order to reduce the probability
that the adversary learns a generated bit shared by Alice and Bob below ε, they have to
communicate Θ(1/ε) Qbits. Barrett et al.'s protocol and its analysis are based on a type
of non-locality different from the one modeled by the PR box — the latter is typically
referred to as CHSH non-locality.

Masanes and Winter proposed to use a number of 85%-approximations to the
PR box (this is achievable with so-called singlets, i.e., maximally entangled Qbit pairs).
Indeed, any, even weak, non-locality implies some secrecy, but no perfect secrecy in
general. In order to illustrate this, consider a system approximating a PR box with
probability 1 − ε for all inputs. More precisely, we have
$$\mathrm{Prob}[X \oplus Y = U \cdot V \mid U = u, V = v] = 1 - \varepsilon \qquad (2)$$
for all $(u, v) \in \{0, 1\}^2$. Then, what is the maximal possible bias
$$p := \mathrm{Prob}[X = 0 \mid U = 0, V = 0]$$
such that the system is non-signaling?



Lower bounds on the output biases implied by (2) and non-signaling:

    (u, v)    P_{X|U=u,V=v}(0)    P_{Y|U=u,V=v}(0)
    (0, 0)    p                   p − ε
    (0, 1)    p                   p − ε
    (1, 0)    p − 2ε              p − ε
    (1, 1)    p − 2ε              p − ε

We explain the table: Because of (2), the bias of $Y$, given $U = V = 0$, must be at
least $p - \varepsilon$. Because of non-signaling, $X$'s bias must be $p$ as well when $V = 1$, and so
on. Finally, condition (2) for $U = V = 1$ implies $(p - \varepsilon) - (1 - (p - 2\varepsilon)) \le \varepsilon$, hence,
$p \le 1/2 + 2\varepsilon$. For any $\varepsilon < 1/4$, this is a non-trivial bound. (This reflects the fact that
$\varepsilon = 1/4$ is the "local limit," as we have seen in the proof of Bell's theorem.) If we apply
this, conditioned on Eve's knowledge, we obtain a lower bound on her uncertainty which
is the better the stronger the non-locality is. (A special case is what we have seen above
already: maximal CHSH non-locality leads to perfect secrecy.)

In this paper we consider privacy amplification applied to the outputs of non-local
boxes. Privacy amplification is a concept well-known from classical and quantum
cryptography, and means transforming a weakly secret string into a highly secret key by
hashing. Because the security of privacy amplification ultimately depends on the abilities
of an adversary, security in the context of an adversary governed by quantum mechanics [21]
does not necessarily imply security in the context of an adversary only restricted by the
non-signaling condition (modeled by the boxes introduced above).⁴ In this latter context,
security is only known to hold under the additional assumption that the adversary can
only attack each of the boxes separately. In general, however, an adversary may of course
attack all of them jointly (corresponding to a coherent attack⁵). Such a more general
scenario has been considered by Masanes, where the non-signaling postulate is imposed not
only between the different parties, but also between subsystems held by one party. In this
case, privacy amplification is indeed possible, but this solution requires n devices which are
space-like separated and is therefore not practical. We consider the general situation where
only a space-like separation between Alice and Bob is imposed and Eve can make arbitrary
attacks.

³ It is a fundamental question, studied by many researchers, why this is the case. Is there a classical
significance to the 85%-bound?

⁴ The analysis of privacy amplification given in the original paper [19] led to a result which seems
to be in contradiction to our claim that privacy amplification is impossible. In the meantime it has
been realized that the security definition used in [19] is incomplete and would only be sufficient if the
adversary had to measure before the hash function becomes public (see the revised version).

1.4. Our Result: Amplification of Relativistic Privacy is Impossible 

We state our main result informally. We look at the following scenario: in a first 
phase Alice and Bob have access to n realizations of a (1 — e)-approximation of a PR 
box. In a second phase, they can communicate over an authentic but public classical 
channel, and apply arbitrary one-bit-output functions to their data set. We then show 
that, for any such function, they can only reduce the information that a general non- 
signaling adversary can have about the bit, when compared to the raw bits output by 
the boxes, by at most a factor 4. In other words, privacy amplification by hashing is 
impossible in the relativistic-cryptography setting. 

1.5. Outline 

The rest of our paper is organized as follows. In Section 2, we describe the general set 
of possible strategies of a non-signaling adversary. In Section 3, we illustrate the power of 
a non-signaling adversary by showing that the XOR of n boxes' output bits is not more 
secure against a non-signaling attack than a single bit — quite the opposite, in fact. 
We also describe one concrete (good) adversarial strategy, which allows the adversary to 
obtain high information about the key bit. This is a special case of our general privacy- 
amplification no-go result stated in Section 4, which shows that privacy amplification by 
any hash function is impossible. 



2. Preliminaries 

2.1. Purification of Bipartite Non-Signaling Systems⁶

Assume Alice and Bob share a box. When we take the adversary into account, we get
a three-partite scenario. The goal of this section is to reduce this tripartite scenario to
a bipartite one: Given the box Alice and Bob share, what is the most general extension
to a third party? This third party will take the role of the adversary.

⁵ In quantum mechanics, three types of attacks — individual, collective and coherent attacks — are
generally considered. In an individual attack, the eavesdropper attacks and measures
each system identically and independently; in a collective attack the adversary still attacks each system
identically and independently, but can make a joint measurement; finally the strongest attack is a
coherent attack, where no restrictions apply.

⁶ In quantum mechanics, the purification of a bipartite state is the extension of the state to a third
party such that the overall state is pure.



According to the non-signaling assumption, even the three-partite scenario including
the eavesdropper must not allow for signaling. For instance, we have⁷ $P(xy|uvw) = P(xy|uv)$
and $P(x|u) = P(x|uv)$, and so on.




Figure 3: The three-partite scenario including the eavesdropper. 

Note that because of the non-signaling property, the marginal box (in the very same
sense as a marginal probability distribution) of Alice and Bob is well-defined: Their
input-output statistics do not depend on what the adversary does, i.e., inputs.

The marginal system $P_{XY|UV}$ corresponds to a box. We will use the notation $X$ ($Y$,
$U$, $V$) for binary random variables, boldface letters $\mathbf{X}$ for n-bit random variables and $X_i$
for the i'th random bit. The values that the random variables take will be denoted by
lower-case letters. Note that considering only a single box includes the case where Alice
and Bob share many boxes, because these can be seen as one box as long as Alice and
Bob each give all their inputs simultaneously.⁸ Eve can then attack all these boxes at
once through a single input/output interface. This is analogous to an Eve being capable
of doing collective attacks in quantum key distribution. Eve's random variables $W$ and $Z$
can have any range. Eve's input $w$ corresponds to the choice of her strategy. In general,
we must assume that Eve can delay her choice until all other parameters are known. In
an informal way, we can write Eve's possibilities as
$$P_{XY|UV} = P(z_0|w) \cdot P^{z_0}_{XY|UV} + P(z_1|w) \cdot P^{z_1}_{XY|UV}\,.$$

Eve's strategy $w$ corresponds to a decomposition of Alice's and Bob's box. Her
measurement result $z$ tells her which part of the decomposition occurred.



⁷ For the sake of simplicity, we drop indices that name the random variables when they are obvious.
⁸ More precisely, Alice gives all her inputs at a given point in space-time and likewise for Bob.
Definition 3. A box partition⁹ of a given box $P_{XY|UV}$ is a family of pairs
$$\{(p^z, P^{z}_{XY|UV})\}_z\,,$$
where $p^z$ is a weight and $P^{z}_{XY|UV}$ is a box, such that
$$\sum_z p^z \, P^{z}_{XY|UV} = P_{XY|UV}\,. \qquad (3)$$

Because of the non-signaling condition, the marginal distribution of Alice and Bob must
be the same, no matter Eve's strategy. The fact that any two parties cannot signal to
the third party (for example, Alice and Eve together cannot signal to Bob) implies that
every box defined by the behavior of the box shared by Alice and Bob conditioned on
an outcome $z$, $P_{XY|UV,W=w,Z=z}$, must be non-signaling. This is, therefore, the most
general way to describe a valid strategy of Eve as stated by the following lemmas.

Lemma 3. For any given tripartite box $P_{XYZ|UVW}$, any input $w$ induces a box partition
parametrized by $z$:
$$p^z := p(z|w)\,, \qquad P^{z}_{XY|UV} := P_{XY|UV,Z=z,W=w}\,.$$

Lemma 4. Given a bipartite box $P_{XY|UV}$, let $\mathcal{W}$ be a set of box partitions
$$w = \{(p^z, P^{z}_{XY|UV})\}_z\,.$$
Then the tripartite box, where the input of the third party is $w \in \mathcal{W}$, defined by
$$P_{XYZ|UV,W=w}(x, y, z | u, v) := p^z \, P^{z}_{XY|UV}(x, y | u, v)\,,$$
is non-signaling and has marginal box $P_{XY|UV}$.

From now on, $w$ will stand for a certain box partition, i.e., an adversarial strategy.
We are interested in the question: Which type of box, given outcome $z$, can occur with
what probability $p^z$? Let us show that in order to answer this question, it is enough to
look at the case where Eve only has two possible measurement outcomes $z_0$ and $z_1$, as
all other outcomes can be wrapped into a single one. The reason is that the space of
non-signaling boxes is convex. We have
$$P_{XY|UV} = p^{z_0} P^{z_0}_{XY|UV} + \underbrace{p^{z_1} P^{z_1}_{XY|UV} + \cdots + p^{z_m} P^{z_m}_{XY|UV}}_{=\; \tilde p^{\,z_1} \, \tilde P^{z_1}_{XY|UV}}\,,$$
where $\tilde p^{\,z_1} = p^{z_1} + \cdots + p^{z_m}$.

Lemma 5. If $(p^{z_0}, P^{z_0}_{XY|UV})$ is an element of a box partition with $m + 1$ elements
$z_0, \dots, z_m$, then it is also an element of a box partition with only two elements.

Proof. We define the probability of outcome $z_1$ as $\tilde p^{\,z_1} := p^{z_1} + \cdots + p^{z_m}$ and the box
given outcome $z_1$ as
$$\tilde P^{z_1}_{XY|UV} := \frac{1}{\tilde p^{\,z_1}} \sum_{i=1}^{m} p^{z_i} P^{z_i}_{XY|UV}\,.$$
The marginal distribution defined in this way is the one expected by Alice and Bob
because of
$$p^{z_0} P^{z_0}_{XY|UV} + \tilde p^{\,z_1} \tilde P^{z_1}_{XY|UV} = p^{z_0} P^{z_0}_{XY|UV} + \sum_{i=1}^{m} p^{z_i} P^{z_i}_{XY|UV} = P_{XY|UV}\,.$$
It remains to show that $\tilde P^{z_1}_{XY|UV}$ is a valid non-signaling probability distribution. The
convex combination of several probabilities is again a probability between 0 and 1 and
the normalization remains because every part is normalized separately. The distribution
is non-signaling because every single part is (the non-signaling property is linear). Therefore,
$\tilde P^{z_1}_{XY|UV}$ is a valid non-signaling probability distribution, and the two outcomes $z_0$
and $z_1$ define a box partition. □

⁹ This is analogous to quantum mechanics, where bipartite states are described by density operators
$\rho_{AB}$ and where any measurement on a purifying system corresponds to a partition of the form
$\rho_{AB} = \sum_z p^z \rho^{z}_{AB}$, where $\rho^{z}_{AB}$ is the state conditioned on the measurement outcome $z$.

Lemma 5 implies that for showing an impossibility result, we can assume Eve's
information (the random variable $Z$) to be binary. Moreover, we will now show that it is
not necessary to determine both parts of the box partition explicitly, but we can find
a condition on the box given outcome $z = 0$, which will make sure that there exists a
second part, complementing it to a box partition.

Lemma 6. Given a non-signaling distribution $P_{XY|UV}$, there exists a box partition with
element $(p, P^{z=0}_{XY|UV})$ if and only if, for all inputs and outputs $x, y, u, v$,
$$p \cdot P^{z=0}(xy|uv) \le P(xy|uv)\,. \qquad (4)$$

Proof. The convex combination of boxes $P^{z}_{XY|UV}$ is again a box. To prove that the
outcome $z = 0$ can occur with probability $p$ it is, therefore, needed to show that there
exists another valid outcome $z = 1$ which can occur with probability $1 - p$, and that
the weighted sum of the two is $P_{XY|UV}$. If $P^{z=0}_{XY|UV}$ is a normalized and non-signaling
probability distribution, then so is $P^{z=1}_{XY|UV}$, because the weighted sum of the two,
$P_{XY|UV}$, is also non-signaling and normalized and both properties are linear. Therefore,
we only need to verify that all entries of the complementary box $P^{z=1}_{XY|UV}$ are between
0 and 1. However, this box is the difference
$$P^{z=1}_{XY|UV} = \frac{1}{1 - p}\left(P_{XY|UV} - p \cdot P^{z=0}_{XY|UV}\right)\,.$$
Requesting this to be greater than or equal to 0 is equivalent to (4). We observe that all
entries of $P^{z=1}_{XY|UV}$ are trivially smaller than or equal to 1 because of the normalization:
if the sum of positive summands is 1, each of them can be at most 1. □

2.2. Description of the Scenario and Security Criteria 

We study the scenario where Alice and Bob share several approximations of PR
boxes. Alice and Bob can test the behavior of the boxes, but we assume that this has
already been done, and that the boxes behave exactly as expected by Alice and Bob;
more precisely, we assume that Alice and Bob share n independent and unbiased PR
boxes with error ε, defined below.

Definition 4. An unbiased PR box with error ε is a system $P_{XY|UV}$, where $X, Y, U, V$
are bits, and for every pair $(U, V)$ $X$ and $Y$ are random bits, and
$$\mathrm{Prob}[X \oplus Y = U \cdot V] = 1 - \varepsilon$$
(see also (2)).

The marginal box as seen by Alice and Bob can, therefore, be expressed as
$$P_{\mathbf{XY}|\mathbf{UV}} := \prod_{i=1}^{n} P_{X_i Y_i | U_i V_i}\,,$$
where $P_{X_i Y_i | U_i V_i}$ is a single unbiased PR box with error ε. This assumption only restricts
Eve's possibilities as compared to the case when the marginal is not fixed. To create a
key, Alice and Bob take a public input and a public hash function $f$ and apply $f$ to
the outcomes of the boxes. The quality of the resulting key can be measured by the
distance from the uniform distribution given the adversary's knowledge. In general, the
goal of privacy amplification is to create a highly secure bit-string. However, the
non-uniformity of the key is lower-bounded by the non-uniformity of a single bit; for showing
the impossibility of privacy amplification, it is, therefore, enough to show that the
non-uniformity of a single bit is always high. (Indeed, if Alice and Bob cannot even create a
single secure bit, they can surely not create several secure bits.)

Since in the protocol, Bob adjusts his output bit to Alice's after the exchange of their
inputs, it is enough for Eve to know the output of Alice's hashing, $f(\mathbf{x})$. For taking
into account the most general non-signaling attack, we must assume that Eve can adapt
her strategy to the choice of $f$ and the inputs. In our case, it will in fact be sufficient
for Eve to choose a strategy with only two outputs, $z = 0$ and $z = 1$, each occurring
with probability 1/2, such that given $z = 0$, $f(\mathbf{X})$ is maximally biased towards 0. The
knowledge Eve has about the key bit $f(\mathbf{X})$ can be seen as the non-uniformity of this
bit, given her outcome $z$. Obviously, this quantity depends on Eve's strategy (the box
partition she uses), Alice's and Bob's inputs and the hash function that is applied to the
output bits.

Definition 5. The non-uniformity of the bit $f(\mathbf{X})$ given a box partition $w$ and inputs
$\mathbf{u}, \mathbf{v}$ is
$$\delta_w(\mathbf{u}, \mathbf{v}) = \frac{1}{2} \sum_z p^z \left| P^{z}_{\mathbf{XY}|\mathbf{UV}}(f(\mathbf{X}) = 0 \mid \mathbf{uv}) - P^{z}_{\mathbf{XY}|\mathbf{UV}}(f(\mathbf{X}) = 1 \mid \mathbf{uv}) \right|\,.$$

Here $\delta_w(\mathbf{u}, \mathbf{v}) = 0$ means that the eavesdropper has no knowledge about the bit $f(\mathbf{X})$;
on the other hand, $\delta_w(\mathbf{u}, \mathbf{v}) = 1/2$ corresponds to complete knowledge. Our goal will be
to show that the non-uniformity remains high, no matter what function Alice (and Bob)
apply to their output bits and how many boxes they share.
2.3. The Case of a Single Box

In this section, we will show that the knowledge of a non-signaling adversary about
the outcome of a box which is non-local is limited, i.e., we consider the case where
$P_{XY|UV}$ corresponds to a single unbiased PR box with error ε, and the function that is
applied is the identity $f = \mathrm{id}$. This is a more detailed justification for the claim already
made in Section 1.3, which also shows that the bound given there is tight. The marginal
probability distribution as seen by Alice and Bob is given by
$$P_{XY|UV}(x, y | u, v) = \begin{cases} \dfrac{1 - \varepsilon}{2} & \text{if } x \oplus y = u \cdot v\,, \\[4pt] \dfrac{\varepsilon}{2} & \text{otherwise.} \end{cases} \qquad (5)$$

Written as a table with one 2×2 block of entries $P(x, y | u, v)$ for each input pair $(u, v)$,
the criterion that Alice cannot signal to Bob translates to the requirement that Bob's
marginal, i.e., the column sums of a block, is the same for $u = 0$ and $u = 1$ (for fixed $v$);
that Bob cannot signal to Alice is expressed as the same kind of condition on the row sums
with respect to $v$. The normalization criterion is that the four probabilities within a block
must sum up to one.

As an example, we assume that the input bits of Alice and Bob were $(u, v) = (0, 0)$; for
symmetry reasons it is clear that Eve has an equivalent strategy also for all other inputs.
As shown previously, the strategy giving maximal information about a bit to Eve is to
choose a box partition with three outputs $z \in \{0, 1, \delta\}$ such that if she obtains $z = 0$ she
knows with certainty that Alice's bit $x$ is 0, if she obtains $z = 1$ it is 1, and if she obtains
$\delta$ Alice's bit is a random bit:
$$P_{XY|UV} = p^{z=0} P^{z=0}_{XY|UV} + p^{z=1} P^{z=1}_{XY|UV} + p^{z=\delta} P^{z=\delta}_{XY|UV}\,,$$
where $P^{z=0}(x = 0 \mid u = 0, v = 0) = 1$ and $P^{z=1}(x = 1 \mid u = 0, v = 0) = 1$. From the fact
that the marginal box of Alice and Bob is unbiased, we can conclude $p^{z=0} = p^{z=1}$.

Using this box partition, the non-uniformity of the bit $X$ is given by
$$\delta_w(0, 0) = \tfrac{1}{2}\left(p^{z=0} + p^{z=1}\right) = p^{z=0}\,.$$
However, because of the convexity of the theory, we can easily define another box
partition $w'$ with only two outcomes, $z' = 0$ and $z' = 1$, which also reaches this maximal
non-uniformity by equally distributing the third ($\delta$) outcome into the two others:
$$P_{XY|UV} = p^{z'=0} P^{z'=0}_{XY|UV} + p^{z'=1} P^{z'=1}_{XY|UV}\,,$$
where $p^{z'=0} = p^{z'=1} = 1/2$ and
$$P^{z'=0}_{XY|UV} = 2p^{z=0} \, P^{z=0}_{XY|UV} + \left(1 - 2p^{z=0}\right) P^{z=\delta}_{XY|UV}\,.$$

We, therefore, only have to find the box that is maximally biased towards 0 and which
can occur with probability 1/2. According to (4), this turns into a simple maximization
problem under linear constraints: every entry of the box given $z' = 0$ may be at most
twice the corresponding entry of (5). The result can be written as follows (where the
entries of the table are $P^{z'=0}_{XY|UV}(x, y | u, v)$, one 2×2 block per input pair $(u, v)$):

                          v = 0                      v = 1
                     y = 0      y = 1           y = 0      y = 1
    u = 0   x = 0    1/2 + ε    ε               1/2 + ε    ε
            x = 1    0          1/2 − 2ε        0          1/2 − 2ε
    u = 1   x = 0    1/2        0               ε          1/2 − ε
            x = 1    ε          1/2 − ε         1/2        0
                                                                        (6)



This box has a bias of 2ε towards 0: We have $P^{z'=0}(X = 0) = 1/2 + 2\varepsilon$, which means that
the non-uniformity of Alice's output bit given box partition $w'$ is
$\delta_{w'}(0, 0) = P^{z'=0}(X = 0) - 1/2 = 2\varepsilon$. This implies that in the case $\varepsilon = 0.25$, Eve can
perfectly know Alice's output bit — which corresponds to our expectation since $\varepsilon = 0.25$-boxes
can be simulated with a local hidden-variable theory, and Eve could know the hidden variable.
Additionally, for any non-local theory (i.e., $\varepsilon < 0.25$), the non-signaling condition bounds
the knowledge of a potential adversary; with perfect PR boxes, one perfectly secret bit
per use is created, the confidentiality of which relies only on the non-signaling condition,
as we have explained in Section 1.3.
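The bound of Section 1.3, Eve's two-outcome strategy of this section and the table (6) can be checked with exact arithmetic. The following Python block is an added example and not code from the paper: it builds the unbiased ε-PR box of Definition 4 as a table $P(x, y | u, v)$, checks the non-signaling conditions of footnote 2, verifies via condition (4) of Lemma 6 that the box (6) is a valid element of a box partition with weight 1/2, constructs the complementary box of the proof of Lemma 6, and evaluates the non-uniformity of Definition 5 for $f = \mathrm{id}$ on input $(0, 0)$, which comes out as 2ε (and as 1/2, complete knowledge, at ε = 1/4; as 0 for a perfect PR box). All function names are the example's own.

```python
# Added example (not from the paper): boxes as probability tables, Eve's box partition.
from fractions import Fraction
from itertools import product

BITS = (0, 1)
HALF = Fraction(1, 2)


def pr_box(eps):
    """Unbiased PR box with error eps (Definition 4), as a table P[(x, y, u, v)].

    Given the input pair (u, v), the relation x XOR y = u AND v holds with
    probability 1 - eps; the two correct (and the two wrong) output pairs are
    equally likely, so X and Y are both uniform random bits.
    """
    eps = Fraction(eps)
    return {(x, y, u, v): (1 - eps) / 2 if (x ^ y) == (u & v) else eps / 2
            for x, y, u, v in product(BITS, repeat=4)}


def marginal_x(P, x, u, v):
    return sum(P[(x, y, u, v)] for y in BITS)


def marginal_y(P, y, u, v):
    return sum(P[(x, y, u, v)] for x in BITS)


def is_box(P):
    """Normalized, entries in [0, 1], and non-signaling in both directions (footnote 2)."""
    for u, v in product(BITS, repeat=2):
        cells = [P[(x, y, u, v)] for x in BITS for y in BITS]
        if any(c < 0 or c > 1 for c in cells) or sum(cells) != 1:
            return False
    # Alice cannot signal to Bob: Bob's marginal must not depend on u ...
    for y, v in product(BITS, repeat=2):
        if marginal_y(P, y, 0, v) != marginal_y(P, y, 1, v):
            return False
    # ... and Bob cannot signal to Alice: Alice's marginal must not depend on v.
    for x, u in product(BITS, repeat=2):
        if marginal_x(P, x, u, 0) != marginal_x(P, x, u, 1):
            return False
    return True


def eve_box_z0(eps):
    """Eve's conditional box given z = 0, table (6): X biased towards 0 on input (0, 0).

    Indexed by input pair (u, v), then by output pair (x, y).
    """
    eps = Fraction(eps)
    rows = {
        (0, 0): {(0, 0): HALF + eps, (0, 1): eps, (1, 0): 0, (1, 1): HALF - 2 * eps},
        (0, 1): {(0, 0): HALF + eps, (0, 1): eps, (1, 0): 0, (1, 1): HALF - 2 * eps},
        (1, 0): {(0, 0): HALF, (0, 1): 0, (1, 0): eps, (1, 1): HALF - eps},
        (1, 1): {(0, 0): eps, (0, 1): HALF - eps, (1, 0): HALF, (1, 1): 0},
    }
    return {(x, y, u, v): Fraction(rows[(u, v)][(x, y)])
            for (u, v), cells in rows.items() for (x, y) in cells}


def extends_to_partition(P, Q, p):
    """Lemma 6: (p, Q) belongs to a box partition of P iff Q is a box and p*Q <= P entrywise."""
    return is_box(Q) and all(p * Q[k] <= P[k] for k in P)


def complementary_box(P, Q, p):
    """The second partition element, (P - p*Q) / (1 - p), from the proof of Lemma 6."""
    return {k: (P[k] - p * Q[k]) / (1 - p) for k in P}


def eve_strategy(eps):
    """Two-outcome box partition {(1/2, P^{z=0}), (1/2, P^{z=1})} of the eps-PR box."""
    P, Q0 = pr_box(eps), eve_box_z0(eps)
    if not extends_to_partition(P, Q0, HALF):
        raise ValueError("not a valid non-signaling strategy for this marginal")
    return [(HALF, Q0), (HALF, complementary_box(P, Q0, HALF))]


def non_uniformity(partition, f, u, v):
    """Definition 5: 1/2 * sum_z p^z |P^z(f(X)=0|uv) - P^z(f(X)=1|uv)|."""
    total = Fraction(0)
    for p_z, Q in partition:
        bias = [sum(Q[(x, y, u, v)] for x in BITS for y in BITS if f(x) == b) for b in BITS]
        total += p_z * abs(bias[0] - bias[1])
    return total / 2


def eve_knowledge(eps):
    """Non-uniformity of Alice's raw bit X on input (0, 0) under Eve's strategy: 2*eps."""
    return non_uniformity(eve_strategy(eps), lambda x: x, 0, 0)


if __name__ == "__main__":
    for eps in (Fraction(1, 10), Fraction(1, 8), Fraction(1, 4)):
        print(f"eps = {eps}: Eve's non-uniformity on X = {eve_knowledge(eps)}")
```

The `Fraction` arithmetic keeps the entrywise check of (4) exact; with floating-point ε the comparisons in `extends_to_partition` can fail by rounding on the tight cells. Substituting another candidate table for `eve_box_z0` and re-running `eve_strategy` shows directly which candidate boxes the non-signaling and (4) constraints rule out.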

3. Impossibility of Privacy Amplification by Linear Hashing 

In this section, we show that privacy amplification by applying a linear function — 
taking the XOR of some subset of the output bits — is impossible. Moreover, we will 
show that the more bits we take the XOR of, the more Eve can know. At the same time 
we try to give a more intuitive explanation of the possibilities Eve has, and explain why 
the strategy we give is actually a good strategy for Eve. The specific box partition we 
define here will also be used later in the case of general hash functions. 

3.1. Intuitive Presentation of the Argument 

Let us take as an example the case where Alice and Bob share only two boxes. Then
we can define a table with input-output probabilities similar to (5) for the two boxes,
P_{X1X2Y1Y2|U1U2V1V2}. Alice and Bob now have two bits of input and output. As the two
boxes as seen by Alice and Bob are independent, the probabilities are simply the product
of the input-output probabilities of each box. We give a part of this table — the part
for the input (u1, u2, v1, v2) = (0, 0, 0, 0):
Now, imagine further that Eve learns the input (later, we will see that this is, in fact,
not necessary for her strategy to work), and that the function Alice applies is the XOR
(which is the only non-trivial linear function). In the table we mark gray all outcomes
for which Alice's final bit is 0 and as white the ones where she will get 1. What is
Eve's strategy which gives her as much information as possible about Alice's final bit?
Defining a strategy means constructing a decomposition of the double box into two parts
corresponding to her two (equally likely) outputs:




(Figure: the double box as seen by Alice (A) and Bob (B), decomposed into the two parts
corresponding to Eve's outcomes z = 0 and z = 1.)



In fact, as we have seen before, we only need to construct one part P^{z=0}_{XY|UV} such that z = 0
can occur with probability 1/2 according to (4); the second part is then automatically
defined. As Eve has learned the input 0000 and knows that the function Alice applies is
the XOR, we try to make the box given measurement outcome z = 0 maximally biased
towards 0, that is, Alice's output bits should be likely to be either 00 or 11. In order
to construct the conditional box, given measurement outcome z = 0, we start from the
unbiased box as seen by Alice and Bob (given above) and shift around probabilities.
More precisely, we try to take as much probability as possible out of the white area and
put it into the gray area, thereby biasing the XOR towards 0. However, we have to
respect a few rules.

1. All entries must remain probabilities between 0 and 1.

2. The normalization of the probability distribution must remain — this will not
be a problem as we only move around probability weights within the same input,
taking them out of one cell and putting them into another.

3. The non-signaling condition must be satisfied — this implies that even if the input
is known, we must be able to define the conditional box, given output z = 0, for all
inputs, and it must be possible to do this in a non-signaling way. We will not worry
about this condition too much for the moment, as we will be able to show later
that if we proceed as below for all inputs, the box obtained is in fact non-signaling.

4. There must exist a second measurement outcome z = 1 occurring with
probability 1/2, and such that the conditional box, given outcome z = 1, is also
a valid probability distribution. This box, given outcome z = 1, must be able to
compensate for the shifts in probabilities. According to (4), this means that the
entry in every cell must be smaller than or equal to twice the original entry.

Rules 1 and 4 together state that every new entry must be between 0 and twice the
original entry.

Now, we can proceed row-wise in the picture (a row corresponds to one specific
output on Bob's side) and look at the probabilities in the gray and white areas — i.e.,
the probability for Alice's final bit to be 0 or 1, respectively. In case of the first row
(corresponding to Bob's output y = y1y2 = 00), we see that the probability for Alice
to obtain 00 or 11 is (1/2 − ε/2)² and (ε/2)², respectively, and to obtain 01 or 10 is
(1/2 − ε/2)(ε/2) each. We try to take as much probability as possible out of the white
area and put it into the gray area. If the sum of probabilities in the white area is smaller
than the one in the gray area, we can take all probability weight out of the white cells
and distribute it in the gray cells proportionally to the original entry. As the white
area is smaller than the gray, this will at most double the gray entries, and all entries
will be within the range allowed by (4). This is the case here: (1/2 − ε/2)² + (ε/2)² >
2(1/2 − ε/2)(ε/2), hence, the new entries in the white cells will be 0, and the new entries
in the gray cells will be less than twice the amount that was there before. We will call
rows of this type y_>, and a generalization of this argument will lead to (13), (14).

The second row is different: The probabilities in the gray area are lower than the
ones in the white area (2(1/2 − ε/2)(ε/2) < (1/2 − ε/2)² + (ε/2)²), so we cannot shift
the entire probability into the gray cells, because this would more than double the
entries. The best we can do is to exactly double the entries in the gray region, and take
exactly this probability (proportionally) out of the white cells, which means the amount
of probability that is shifted is 2(1/2 − ε/2)(ε/2). This type of row will be called y_<,
and the (generalized) expression of the new entries is given in (11), (12).

So, whether we look at a row of type y_< or y_>, the amount of probability that is
shifted is exactly the probability contained in the area with lower total probability (gray
or white). The shifted probability will correspond exactly to the bias the box given
outcome z = 0 has, so we just have to count the lower of the two areas on every row.
This is what is said in (18). And this bias is exactly the non-uniformity of the key bit
given box partition w. In our example of two boxes and the XOR, the probability shift
(area with the lower probability) happens to be 2(1/2 − ε/2)(ε/2) for every row, and
there are four rows, therefore, δ_w(00, 00) = 4 · 2(1/2 − ε/2)(ε/2) = 2ε − 2ε². Finally,
note that if we shift probabilities in this way for all inputs, the resulting box is in fact
non-signaling. The fact that Alice cannot signal to Bob is satisfied because we do not
shift probabilities between rows. Bob cannot signal to Alice because for every row, the
same row (meaning: with the same sequence of probabilities) appears again for another
input of Bob (maybe just in a different position) and the same shifts, therefore, occur
for all inputs of Bob.
3.2. A Concrete (Good) Adversarial Strategy

Now we will define formally the box partition we described informally in the previous
section. We describe a box partition w which contains an element (1/2, P^{z=0}_{XY|UV}), and
which gives a high non-uniformity of the key bit f(X). Our description will be rather
general, such that this box partition can also be used when the function f is not the
XOR. The probabilities P^{z=0}(x, y, u, v) are defined in four cases according to x, y and
the properties of the box P_{XY|UV} (in terms of the intuitive explanation above: whether
we are in a white or gray cell, whether there is more probability in the white or the
gray area and according to the original entry in that cell). For simplicity, let us use the
following notation:

    y_< := \Big\{ y \ \Big|\ \sum_{x : f(x)=0} P(xy|uv) < \sum_{x : f(x)=1} P(xy|uv) \Big\} ,      (7)

    y_> := \Big\{ y \ \Big|\ \sum_{x : f(x)=0} P(xy|uv) \geq \sum_{x : f(x)=1} P(xy|uv) \Big\} ,      (8)

    x_0 := \{ x \mid f(x) = 0 \} ,      (9)

    x_1 := \{ x \mid f(x) = 1 \} .      (10)

Then P^{z=0}(xy|uv) is defined as follows.

For all x ∈ x_0, y ∈ y_<:

    P^{z=0}(xy|uv) := 2 \cdot P(xy|uv) .      (11)

For all x ∈ x_1, y ∈ y_<:

    P^{z=0}(xy|uv) := \frac{\sum_{x' : f(x')=1} P(x'y|uv) - \sum_{x' : f(x')=0} P(x'y|uv)}{\sum_{x' : f(x')=1} P(x'y|uv)} \cdot P(xy|uv) .      (12)

For all x ∈ x_0, y ∈ y_>:

    P^{z=0}(xy|uv) := \frac{\sum_{x' : f(x')=1} P(x'y|uv) + \sum_{x' : f(x')=0} P(x'y|uv)}{\sum_{x' : f(x')=0} P(x'y|uv)} \cdot P(xy|uv) .      (13)

For all x ∈ x_1, y ∈ y_>:

    P^{z=0}(xy|uv) := 0 .      (14)

Lemma 7. There exists a box partition with an element (p^{z=0} = 1/2, P^{z=0}(xy|uv)).

Proof.

Alice cannot signal to Bob: For all u, v and y ∈ y_<:

    \sum_x P^{z=0}(xy|uv)
      = \sum_{x : f(x)=0} 2 \cdot P(xy|uv)
        + \sum_{x : f(x)=1} \frac{\sum_{x' : f(x')=1} P(x'y|uv) - \sum_{x' : f(x')=0} P(x'y|uv)}{\sum_{x' : f(x')=1} P(x'y|uv)} \, P(xy|uv)      (15)
      = 2 \sum_{x : f(x)=0} P(xy|uv) + \sum_{x : f(x)=1} P(xy|uv) - \sum_{x : f(x)=0} P(xy|uv)
      = \sum_x P(xy|uv) = P(y|v) .

For all u, v and y ∈ y_>:

    \sum_x P^{z=0}(xy|uv)
      = \sum_{x : f(x)=0} \frac{\sum_{x' : f(x')=1} P(x'y|uv) + \sum_{x' : f(x')=0} P(x'y|uv)}{\sum_{x' : f(x')=0} P(x'y|uv)} \, P(xy|uv)      (16)
      = \sum_{x : f(x)=1} P(xy|uv) + \sum_{x : f(x)=0} P(xy|uv)
      = \sum_x P(xy|uv) = P(y|v) .

Bob cannot signal to Alice: For this, we need the fact that

    P(xy|uv') = P(xy'|uv) ,

where the i-th bit of y' is defined as y'_i := y_i ⊕ u_i · (v'_i − v_i) and, therefore, we have for
all x, u, v:

    \sum_y P^{z=0}(xy|uv') = \sum_{y'} P^{z=0}(xy'|uv) = \sum_y P^{z=0}(xy|uv) .      (17)

Normalization: This follows directly from (15), (16):

    \sum_{x,y} P^{z=0}(xy|uv) = \sum_y \Big( \sum_x P^{z=0}(xy|uv) \Big) = \sum_y P(y|v) = 1 .

p^{z=0} = 1/2: For the case p = 1/2, (4) translates to P^{z=0}(xy|uv) ≤ 2 · P(xy|uv), which
is satisfied due to the definition of P^{z=0}(xy|uv). □

We can define a complementary box P^{z=1}(xy|uv) = 2 · P(xy|uv) − P^{z=0}(xy|uv),
to give a box partition

    P_{XY|UV} = \tfrac{1}{2} P^{z=0}(xy|uv) + \tfrac{1}{2} P^{z=1}(xy|uv) .

The bias of the bit f(X) for the box P^{z=0}_{XY|UV} and, therefore, also δ_w(u, v) is given by

    \delta_w(u, v) = \sum_y \min\Big\{ \sum_{x : f(x)=0} P(xy|uv), \ \sum_{x : f(x)=1} P(xy|uv) \Big\} .      (18)

3.3. The Impossibility Result

We will now show that Alice cannot use any linear function — XOR of some of her
output bits — to do privacy amplification. There always exists a box partition (namely
w) such that the non-uniformity of the key bit given w is bigger than ε, the error of
the box: δ_w(u, v) > ε. Furthermore, taking the XOR of many output bits is actually
counter-productive, as the non-uniformity of the key bit grows in the number of bits the
XOR is taken of, and in the limit of large n, Eve can even have close-to-perfect knowledge
about Alice's final bit.

Lemma 8. For all linear hash functions f : {0, 1}^n → {0, 1}, the non-uniformity of the
bit f(X) given box partition w is larger than ε: δ_w(u, v) > ε.




Figure 4: The lower bound on the non-uniformity of the final bit (XOR of all outputs) as
given by (19) as a function of the number of boxes and the error. Note that the non-trivial
region of ε is below 0.25.



Proof. If the function f is the XOR, we can explicitly determine the non-uniformity of
the bit f(X) given the box partition w. In fact, for every y we have either

    \sum_{x : f(x)=0} P(xy|uv) = \binom{n}{n}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n}
        + \binom{n}{n-2}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n-2}\Big(\frac{\varepsilon}{2}\Big)^{2}
        + \binom{n}{n-4}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n-4}\Big(\frac{\varepsilon}{2}\Big)^{4} + \cdots ,

    \sum_{x : f(x)=1} P(xy|uv) = \binom{n}{n-1}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n-1}\Big(\frac{\varepsilon}{2}\Big)
        + \binom{n}{n-3}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n-3}\Big(\frac{\varepsilon}{2}\Big)^{3} + \cdots ,

or vice versa. In either case the minimum in (18) is the sum with odd powers of ε/2, and
summing it over all 2^n values of y gives

    \delta_w(u, v) = 2^n \sum_{k \ \mathrm{odd}} \binom{n}{k}\Big(\frac{1}{2}-\frac{\varepsilon}{2}\Big)^{n-k}\Big(\frac{\varepsilon}{2}\Big)^{k}
        = \frac{1 - (1 - 2\varepsilon)^n}{2} ,      (19)

which is larger than ε for all n > 1, and shows that there exists a constant lower bound on
the knowledge Eve can always obtain about the key bit by using this strategy. Further-
more, in the limit of large n, the non-uniformity of the bit f(X) tends toward 1/2 and
Eve can have almost perfect knowledge about Alice's output bit, no matter the original
error of the box. □



4. Impossibility of Privacy Amplification by Any Hashing

In this section, we look at the case where Alice and Bob apply any function of their
choice to their output bits. First we will show that by using the box partition w defined
in Section 3.2, Eve can gain the same knowledge for a given function, no matter what
the input of Alice and Bob was. This property will make the argument simpler, as it will
be sufficient to look at the non-uniformity of the bit f(X) for the all-0 input.

Lemma 9. The non-uniformity of the bit f(X) conditioned on the box partition w defined
in Section 3.2 is independent of the values of u, v, i.e., δ_w(u, v) = δ_w(0...0, 0...0).

Proof. Let us first express the probability of the output x, y, given input u, v, as a
function of the probabilities given the 0-input:

    P(xy|uv) = \Big(\frac{1}{2} - \frac{\varepsilon}{2}\Big)^{n - d_H(x, y')} \Big(\frac{\varepsilon}{2}\Big)^{d_H(x, y')} = P(xy'|0...0) ,

where we have again defined y'_i = y_i ⊕ u_i · v_i. Therefore,

    \delta_w(u, v) = \sum_y \min\Big\{ \sum_{x : f(x)=0} P(xy|uv), \ \sum_{x : f(x)=1} P(xy|uv) \Big\}
      = \sum_{y'} \min\Big\{ \sum_{x : f(x)=0} P(xy'|0...0), \ \sum_{x : f(x)=1} P(xy'|0...0) \Big\}
      = \sum_y \min\Big\{ \sum_{x : f(x)=0} P(xy|0...0), \ \sum_{x : f(x)=1} P(xy|0...0) \Big\}
      = \delta_w(0...0, 0...0) .

□



Hence, we only have to find a lower bound on the non-uniformity δ_w(0...0, 0...0), which
we can explicitly write as

    \delta_w(0...0, 0...0) = \sum_y \min\Big\{ \sum_{x : f(x)=0} \Big(\frac{1}{2} - \frac{\varepsilon}{2}\Big)^{n - d_H(x, y)} \Big(\frac{\varepsilon}{2}\Big)^{d_H(x, y)} ,
        \ \sum_{x : f(x)=1} \Big(\frac{1}{2} - \frac{\varepsilon}{2}\Big)^{n - d_H(x, y)} \Big(\frac{\varepsilon}{2}\Big)^{d_H(x, y)} \Big\} ,

where d_H(x, y) denotes the Hamming distance between x and y.
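The following Python is an added example, not code from the paper; it implements the strategy of Section 3.1 and 3.2 for n product boxes and checks the claims of Lemma 7, Lemma 8 and Lemma 9 exactly. It builds the product of n noisy PR boxes on all inputs (constructed from the description in the text), constructs Eve's conditional box P^{z=0} by the four cases (11)–(14), verifies that it is a valid non-signaling element with entries at most twice the original (Lemma 7), evaluates δ_w(u, v) by (18) and compares it with the bias of P^{z=0} and with the closed form (1 − (1 − 2ε)^n)/2 obtained by summing the odd-power binomial terms in the proof of Lemma 8, and confirms that δ_w does not depend on the input (Lemma 9). Function names are the example's own; exact fractions are used throughout.

```python
from fractions import Fraction
from itertools import product

HALF = Fraction(1, 2)


def bitstrings(n):
    return list(product((0, 1), repeat=n))


def product_box(n, eps):
    """Constructed: n independent noisy PR boxes with error eps, written as one
    box on n-bit inputs/outputs, keyed (u, v, x, y) with tuples of bits."""
    P = {}
    for u, v, x, y in product(bitstrings(n), repeat=4):
        p = Fraction(1)
        for ui, vi, xi, yi in zip(u, v, x, y):
            p *= HALF - eps / 2 if (xi ^ yi) == (ui & vi) else eps / 2
        P[(u, v, x, y)] = p
    return P


def row_sums(P, n, f, u, v, y):
    """(gray, white) = (sum over x with f(x)=0, sum over x with f(x)=1) of P(xy|uv)."""
    s = [Fraction(0), Fraction(0)]
    for x in bitstrings(n):
        s[f(x)] += P[(u, v, x, y)]
    return s[0], s[1]


def partition_element(P, n, f):
    """Eve's conditional box P^{z=0} of equations (11)-(14) for the hash f."""
    Q = {}
    strs = bitstrings(n)
    for u, v, y in product(strs, repeat=3):
        s0, s1 = row_sums(P, n, f, u, v, y)
        for x in strs:
            p = P[(u, v, x, y)]
            if s0 < s1:                                   # y in y_<
                Q[(u, v, x, y)] = 2 * p if f(x) == 0 else (s1 - s0) / s1 * p   # (11), (12)
            elif f(x) == 0 and s0 > 0:                    # y in y_>
                Q[(u, v, x, y)] = (s0 + s1) / s0 * p                             # (13)
            else:
                Q[(u, v, x, y)] = Fraction(0)                                    # (14)
    return Q


def is_partition_element(P, Q, n):
    """Lemma 7: 0 <= Q <= 2P, normalized per input, non-signaling both ways."""
    strs = bitstrings(n)
    zero = (0,) * n
    if any(not (0 <= Q[k] <= 2 * P[k]) for k in P):
        return False
    for u, v in product(strs, repeat=2):
        if sum(Q[(u, v, x, y)] for x, y in product(strs, repeat=2)) != 1:
            return False
        for x in strs:   # Alice's marginal must not depend on v
            if sum(Q[(u, v, x, y)] for y in strs) != sum(Q[(u, zero, x, y)] for y in strs):
                return False
        for y in strs:   # Bob's marginal must not depend on u
            if sum(Q[(u, v, x, y)] for x in strs) != sum(Q[(zero, v, x, y)] for x in strs):
                return False
    return True


def non_uniformity(P, n, f, u, v):
    """delta_w(u, v) of equation (18): the smaller area of every row, summed."""
    return sum(min(row_sums(P, n, f, u, v, y)) for y in bitstrings(n))


def bias_of_element(Q, n, f, u, v):
    """P^{z=0}(f(X) = 0 | uv) - 1/2, the bias Eve sees given outcome z = 0."""
    strs = bitstrings(n)
    return sum(Q[(u, v, x, y)] for x in strs if f(x) == 0 for y in strs) - HALF


def xor(x):
    return sum(x) % 2


def xor_closed_form(n, eps):
    """Sum of the odd-power binomial terms for the XOR of n boxes, (1 - (1 - 2 eps)^n) / 2."""
    return (1 - (1 - 2 * eps) ** n) / 2
```

For n = 2 and the XOR the value returned by non_uniformity at the all-0 input is 2ε − 2ε², as computed in Section 3.1; for a single box it is ε (smaller than the 2ε of the LP solution (6), which is why this strategy is only called a good one), and for n > 1 it exceeds ε, as Lemma 8 states.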



Before we continue, we have to introduce some basic facts about correlations:

We will use the following expression for the distance from uniform of a random bit
X:

    \delta(P_X, P_U) = \max(P_X(0), P_X(1)) - \tfrac{1}{2} .

The correlation c_{XY} between two random bits X and Y is the probability for the two
bits to be equal, minus the probability for the two bits to be different:

    c_{XY} = P(X = Y) - P(X \neq Y) .

Two equal random bits have correlation 1 and are called completely correlated, two random
bits which are always different have correlation −1 and are called completely anti-correlated.

Let us further notice here the following: Assume Alice has a random bit-string X
to which she applies a public function f to obtain a single bit: f : X → {0, 1}. Bob
has a random bit-string Y which is correlated with X and he would like to calculate
a bit Z that is highly correlated with f(X). Then the best achievable correlation is
c_{f(X)Z} = 2 E_Y[max(P(f(X) = 0 | Y = y), P(f(X) = 1 | Y = y))] − 1, and it is reached by
choosing Z to be 0 (respectively 1) if f(X) is more likely to be 0 (respectively 1) given the
information Y.
Definition 6. Assume a random variable X, which is mapped to a bit f(X) ∈ {0, 1},
and a random variable Y giving some information about the value of X. The maximum
likelihood function g of f(X) given Y is the function g : Y → {0, 1} defined as

    g(y) = \begin{cases} 0 & \text{if } P(f(X) = 0 \mid Y = y) \geq P(f(X) = 1 \mid Y = y) \\ 1 & \text{if } P(f(X) = 0 \mid Y = y) < P(f(X) = 1 \mid Y = y) . \end{cases}


With these definitions, we can now show the key lemma for the derivation of our
result. It states that Eve can always obtain knowledge proportional to the error in
correlation between Alice's and Bob's key bit.

Lemma 10. There exists a box partition w such that δ_w = 1/2 − 1/2 · c_{f(X)g(Y)}, where
f, g : {0, 1}^n → {0, 1}, and where g is the maximum likelihood function of f(X) given Y.

Proof. It suffices to show that the box partition w given in Section 3.2 (see (18)) reaches
this bound:

    \delta_w = \sum_y \min\Big\{ \sum_{x : f(x)=0} P(xy|uv), \ \sum_{x : f(x)=1} P(xy|uv) \Big\}
      = \sum_y P(y|v) \min\{ P(f(X) = 0 \mid Y = y), \ P(f(X) = 1 \mid Y = y) \}
      = 1 - E_Y[\max(P(f(X) = 0 \mid Y = y), \ P(f(X) = 1 \mid Y = y))] .

However, the last line is exactly equal to 1/2 − 1/2 · c_{f(X)g(Y)}, where g is the maximum
likelihood function of f(X) given Y. □

This means that unless Bob is able to create an output bit which is highly correlated
with Alice's, the adversary can always obtain knowledge about the key bit. However, if
Alice just applies the trivial function mapping all outputs to zero, then the correlation
between Alice's and Bob's output bit could become 1, and this bound becomes trivial.
We will now show that this does not help because in order to obtain a high correlation,
Alice and Bob need to apply a biased hash function, and in that case the adversary can
obtain high knowledge as well.

The following theorem, proven by Yang, shows the trade-off between randomness
and correlation of two random bits.

Theorem 11 (Yang [l^l). Suppose that Alice and Bob share n uniformly random bits
with correlation 1 − 2ε. Then the maximal correlation that can be reached if Alice and
Bob both locally apply a function f (and g, respectively) to their n original bits is
1 − 2ε(1 − 4δ²), where δ := max(δ(P_{f(X)}, P_U), δ(P_{g(Y)}, P_U)).

Lemma 10 shows that if δ is small, then Eve's knowledge is high. We now need to
see whether we can lower-bound Eve's knowledge for the case of large δ. For δ to be
large, either δ(P_{f(X)}, P_U) or δ(P_{g(Y)}, P_U) needs to be large. Let us first show that if
δ(P_{f(X)}, P_U) is large, then so is Eve's knowledge about f(X). But this is easy, as the
non-uniformity of the bit f(X) is automatically also a lower bound on the non-uniformity
of f(X) as seen from Eve's point of view; i.e., if the key bit is biased, then an adversary
has a priori information about it. This is stated in Lemma 12.
Lemma 12. There exists a box partition w such that the non-uniformity of the bit f(X)
is at least δ(P_{f(X)}, P_U), i.e., δ_w ≥ δ(P_{f(X)}, P_U).

Proof. This bound can be obtained by the trivial box partition:

    \delta_{\mathrm{no\ partition}} = \tfrac{1}{2} \cdot \big| P(f(X) = 0 \mid uv) - P(f(X) = 1 \mid uv) \big| = \delta(P_{f(X)}, P_U) .      (20)

□

We, therefore, found a second bound on the non-uniformity of the bit f(X) given
uv: δ_{no partition} = δ(P_{f(X)}, P_U). It remains to exclude the case that δ is large because
δ(P_{f(X)}, P_U) is small and δ(P_{g(Y)}, P_U) is large.

Lemma 13. There exists a box partition w such that the non-uniformity of the bit f(X)
is at least the absolute value of the difference between δ(P_{f(X)}, P_U) and δ(P_{g(Y)}, P_U), i.e.,
δ_w ≥ |δ(P_{g(Y)}, P_U) − δ(P_{f(X)}, P_U)|.

Proof. It is enough to show that the box partition w reaches this bound. Note that when
|δ(P_{g(Y)}, P_U) − δ(P_{f(X)}, P_U)| is large, then the correlation between the bits f(X) and
g(Y) must be low:

    c_{f(X)g(Y)} = 2 \cdot P(f(X) = g(Y)) - 1
      \leq 2 \big( 1 - |\delta(P_{g(Y)}, P_U) - \delta(P_{f(X)}, P_U)| \big) - 1
      = 1 - 2 \, |\delta(P_{g(Y)}, P_U) - \delta(P_{f(X)}, P_U)| .

Using Lemma 10 we can connect the correlation with the non-uniformity of f(X) given w:

    |\delta(P_{g(Y)}, P_U) - \delta(P_{f(X)}, P_U)| \leq \tfrac{1}{2} - \tfrac{1}{2} \, c_{f(X)g(Y)} = \delta_w .

□

Using Lemmas 12 and 13 we can now connect the non-uniformity of the bit f(X)
with δ:

Lemma 14. For every hash function f, there exists a box partition w such that δ_w ≥
1/2 · δ, where δ := max(δ(P_{f(X)}, P_U), δ(P_{g(Y)}, P_U)) and g is the maximum likelihood
function of f(X) given Y.

Note that the box partition w can depend on the choice of hash function f because
the adversary can delay the choice of w.

Proof. Lemmas 12 and 13 show that

    \delta_{\mathrm{no\ partition}} \geq \delta(P_{f(X)}, P_U) ,

    \delta_w \geq \delta(P_{g(Y)}, P_U) - \delta(P_{f(X)}, P_U) .

This implies directly that there exists a suitable box partition (either w or the trivial
one) such that δ_w ≥ 1/2 · max(δ(P_{g(Y)}, P_U), δ(P_{f(X)}, P_U)) = 1/2 · δ. □
Figure 5: The lower bound on the non-uniformity of the final bit as a function of the error
of the boxes ε.

Now we can put all the previous lemmas together to obtain a general lower bound on
the adversary's knowledge.

Theorem 15. For every hash function f, there exists a box partition w such that the
non-uniformity of the bit f(X) given w is at least the value 1/2 · δ at which
1/2 · δ = ε(1 − 4δ²), computed in the proof below.



Proof. Lemmas 10 and 14 show that

    \delta_w \geq \tfrac{1}{2} \cdot \delta ,

    \delta_w \geq \tfrac{1}{2} - \tfrac{1}{2} \cdot c_{f(X)g(Y)} \geq \varepsilon (1 - 4\delta^2) ,

where δ := max(δ(P_{f(X)}, P_U), δ(P_{g(Y)}, P_U)). Therefore, δ_w ≥ max(1/2 · δ, ε(1 − 4δ²)),
which takes its lowest value for 1/2 · δ = ε(1 − 4δ²), namely

    \tfrac{1}{2} \cdot \delta = \frac{-1 + \sqrt{1 + 64\varepsilon^2}}{32 \varepsilon} .

□

Note that for small ε, this lower bound actually gives a value of δ_w close to 2ε; for ε
close to 0.25, it is still larger than ε/2. We obtain a constant lower bound (see Fig. 5)
depending only on the error of the individual boxes ε but not on the number of boxes
n. This shows that the non-uniformity of the bit f(X), given w, can never become
negligible in the number n of boxes, and, therefore, privacy amplification of relativistic
cryptography is impossible.
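As an added example (not code from the paper), the following Python evaluates, for a hash function f of Alice's choice and the all-0 input (sufficient by Lemma 9), the quantities that the lemmas of this section relate: δ_w from (18), the maximum likelihood function g of Definition 6, the correlation c_{f(X)g(Y)}, the distances from uniform of f(X) and g(Y), and the trivial-partition bound of Lemma 12. It checks Lemma 10 as an exact equality and Lemma 13 as an inequality, and compares the adversary's knowledge with the bound max(1/2 · δ, ε(1 − 4δ²)) of Theorem 15, whose crossing point 1/2 · δ = ε(1 − 4δ²) is solved in theorem15_bound. The box P(xy|0...0) is constructed from the product formula given above; function names are the example's own.

```python
from fractions import Fraction
from itertools import product
from math import sqrt

HALF = Fraction(1, 2)


def bitstrings(n):
    return list(product((0, 1), repeat=n))


def hamming(x, y):
    return sum(a != b for a, b in zip(x, y))


def zero_input_box(n, eps):
    """Constructed: P(xy|0...0) for n noisy PR boxes with error eps,
    (1/2 - eps/2)^(n - d_H(x,y)) * (eps/2)^d_H(x,y); keyed (x, y)."""
    return {(x, y): (HALF - eps / 2) ** (n - hamming(x, y)) * (eps / 2) ** hamming(x, y)
            for x in bitstrings(n) for y in bitstrings(n)}


def row_sums(P0, n, f, y):
    """(sum over x with f(x)=0, sum over x with f(x)=1) of P(xy|0...0)."""
    s = [Fraction(0), Fraction(0)]
    for x in bitstrings(n):
        s[f(x)] += P0[(x, y)]
    return s[0], s[1]


def non_uniformity_w(P0, n, f):
    """delta_w(0...0, 0...0) of equation (18)."""
    return sum(min(row_sums(P0, n, f, y)) for y in bitstrings(n))


def max_likelihood_g(P0, n, f):
    """Definition 6: g(y) = 0 iff P(f(X)=0 | Y=y) >= P(f(X)=1 | Y=y)."""
    table = {y: 0 if row_sums(P0, n, f, y)[0] >= row_sums(P0, n, f, y)[1] else 1
             for y in bitstrings(n)}
    return lambda y: table[y]


def correlation(P0, f, g):
    """c_{f(X)g(Y)} = P(f(X) = g(Y)) - P(f(X) != g(Y))."""
    equal = sum(p for (x, y), p in P0.items() if f(x) == g(y))
    return 2 * equal - 1


def dist_from_uniform(P0, bit_of):
    """delta(P_B, P_U) = max(P(B=0), P(B=1)) - 1/2 for the bit B = bit_of(x, y)."""
    p0 = sum(p for (x, y), p in P0.items() if bit_of(x, y) == 0)
    return max(p0, 1 - p0) - HALF


def theorem15_bound(eps):
    """The value of delta/2 where delta/2 = eps (1 - 4 delta^2), i.e. the
    crossing point of the two bounds in the proof of Theorem 15 (as a float)."""
    return (-1 + sqrt(1 + 64 * eps ** 2)) / (32 * eps)


def adversary_knowledge(n, eps, f):
    """Returns (delta_w, delta_no_partition, delta) for the hash f, where delta is
    the max of the two distances from uniform used in Theorem 11."""
    P0 = zero_input_box(n, eps)
    g = max_likelihood_g(P0, n, f)
    dw = non_uniformity_w(P0, n, f)
    df = dist_from_uniform(P0, lambda x, y: f(x))     # Lemma 12's bound, (20)
    dg = dist_from_uniform(P0, lambda x, y: g(y))
    c = correlation(P0, f, g)
    assert dw == HALF - c / 2                         # Lemma 10, exact
    assert dw >= abs(dg - df)                         # Lemma 13
    return dw, df, max(df, dg)
```

With ε = 1/10 and two boxes, the XOR gives δ_w = 9/50 with unbiased f(X) and g(Y), while the AND of the two output bits gives a smaller δ_w = 19/200 but a bias δ(P_{f(X)}, P_U) = 1/4 that the trivial partition exploits; in both cases the larger of the two exceeds max(1/2 · δ, ε(1 − 4δ²)) and the crossing value theorem15_bound(ε).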



5. Concluding Remarks

Cryptographic security can be proven only if certain assumptions are made. This
can be a limitation on the adversary's computing power, memory space, or accessible
information. Another example is quantum cryptography, which is based on the accu-
racy and completeness of the quantum-physical description of nature. Although this
theory has been tested by a great number of experiments, it may be attractive to have
an alternative, and to base cryptographic security on the fact that quantum or relativity
theory is correct. An additional advantage — and more important in practice — of such
"non-signaling" schemes, first proposed by Barrett, Hardy, and Kent, over traditional
quantum cryptography, going back to Bennett and Brassard f?] as well as Ekert [U], is
that the security is device-independent: Alice and Bob do not have to trust the man-
ufacturer of the devices or, more precisely, in the fact that they are actually operating
on the quantum systems they are supposed to be. They can derive the security directly
from the correlations in their classical data.

Unfortunately, it appears that such security cannot be achieved this way unless the
physical systems are noiseless and the communication complexity is exponential in any
reasonable security parameter (as is the case for Barrett et al.'s protocol). Indeed,
we have shown that one of the key ingredients for obtaining unconditional classical as
well as quantum key agreement efficiently, namely privacy amplification, fails here. In
this light, it may be even more surprising that general quantum privacy amplification
is possible [l^. In particular, note that our impossibility result holds even for the case
of collective attacks, for which the possibility of device-independent security has been
shown. An obvious open question is whether privacy amplification could be made
possible by enforcing a time-like ordering between the n systems and therefore imposing
a non-signaling condition in one direction. Physically, this would be easily realizable by
measuring several quantum systems one after another.